Think Different

Branch.co App Invades Your Privacy

What started out as a review of the Branch app, has eventually turned into a very major privacy concern. Branch is a startup launched in 2015 to offer credit access to users in emerging markets such as Kenya through their smartphones, bypassing conventional banking loan requirements. However, I feel that the company invades the user’s personal and confidential information by accessing their call and SMS logs; this includes the Mpesa and financial transactions records without fully informing their users.

What is Branch?

Branch is a startup launched in 2015 to cater for the growing need for credit services in developing countries. The CEO of Branch is Matt Flannery the co-founder and ex-CEO of Kiva.org. Kiva is a very popular non-profit lending platform, where Matt stepped down as CEO in 2014, which is similar to the popular Zidisha.org.

Source: Branch.co

With $1.6 million in funding from Formation 8 and Khosla impact, Matt launched Branch targeting the sub-Saharan market starting with Kenya. I have always supported financial startups, especially those that cater for the small businesses and consumers that banks mostly ignore. According to Matt, “Banks only lend to rich people, and then there are micro-finance institutions, which tend to lend to lower-income communities”. Their target market is young Kenyans who are in their 20s and 30s. Nonetheless, this is not a very new service as Mkopo Rahisi by Inveture uses a similar model.

How does it Work?

In order to access Branch services, users have to download their Android app from the Play Store. I downloaded the app but I did not try out their services (more of that later). However, from what we gather you log in with your Facebook account, submit identifying information such as your ID number and your Legal names. The app will collect ‘data’ from your device once you log in, which will in turn be used to assign you a credit score. Within 24 hours you will be able to access loans, depending on your credit score but you will have to start with a limit of Sh.1000! While the company promises to raise your limit to up to Sh.50,000 over time, we feel that Sh.1000 does not qualify to be described as much of a loan and would probably not benefit any person or business in the long run. According to Branch, they have processed thousands of loans, but we are certain that if they exclude the ‘loans’ falling in the Sh.1000 to 4000 category the figures should be less than 1,000 users who have accessed actual loans.

How does Branch Invade Your Privacy?

So, why didn’t I use Branch app in spite of downloading it from the Play Store? The Branch app requests some very invasive app permissions. I have developed a habit of scrutinizing the permissions that I grant apps downloaded from the play store, and some permissions requested by the Branch app gave me some privacy concerns. An android app permission refers to the functions and data that we allow an app to access on your phone. Most users usually skip through the list of permissions they grant to apps, unaware of the security and privacy risk this can cause.

Source: Play Store

Two app permission requests from the Branch app looked very suspicious – read your text messages (SMS or MMS) and read your call log. What this means is that you are are granting the Branch app permission to read all your text messages and call logs. In our research, we came to the realization that Branch uses private and confidential SMS data from your phone to determine whether they can assign you a loan. This includes your Mpesa transaction history, Mbanking transaction history and maybe even the transaction history between you and the neighborhood shylock.

We feel that this is a blatant invasion of privacy. The worst part is that Branch attempts to cover up their invasion into their user’s privacy by not clearly explaining to their users the data they have access to and how it is handled by the Branch team. Questions by users into how they determine their credit score is always answered as follows – Branch credit score is an internal metric which is calculated internally by the system based on a number of factors and used to make lending decisions. We encourage you to contact us directly and we will be able to advise you on how you can improve your credit score.

Additionally, judging by some of the comments on the App’s page, a majority of the users hold the assumption that Branch only uses their Facebook data. The privacy policy on their website still fails to point out the involvement of private data. On the other hand, Mkopo Rahisi attempts to outline this in their privacy policy but we still believe that none of their users are aware of this. It reads in part:

Mkopo Rahisi retrieves M-Pesa and financially-qualifying SMS messages from your phone, encrypts them and sends them to our secure servers. This is done automatically from the phone application provided there is an active internet connection.

Opportunities for abuse.

When you grant an app access to your personal data, there arise very many opportunities for abuse. My biggest area of concern was Two Factor Authentication (TFA). I have secured many of my online accounts, including financial accounts, using TFA and I would certainly not feel safe if a third party will have access to my inbox where all the codes are sent. Furthermore, in order to withdraw Mpesa from an ATM you have to receive a certain code in your phone before making the withdrawal. Anyone with access to this code can withdraw your cash from anywhere without having physical access to your phone. Also, what is there to prevent a rogue staff member to make use of your confidential messages for blackmail etc.

They don’t have an iOS app because Apple does not grant any app access to read your phone’s SMSs.

A few years ago, I used to be a big fan of a not so popular comedy show that aired on KTN. In fact, I can’t remember the name of the show but I can vividly recall a segment within the show that we would joke a lot about as kids. In this segment, the comedian would walk around Nairobi and request well-dressed men to engage in some embarrassing or degrading games, such as eating 10 raw eggs within 1 minute, in exchange for Sh.1000. The segment was conveniently called just for a thao? In the same light, I will sign out by asking you – Why would you be willing to sacrifice your privacy, just for a thao?

[bctt tweet=”Why would you be willing to sacrifice your privacy just for a thao?”]

7 Comments

Fantastic items from you, man. I’ve be mindful your stuff previous
to and you are just too excellent. I really like what you have obtained here,
really like what you are stating and the way in which you assert it.
You’re making it entertaining and you still take care of to stay it wise.
I can’t wait to learn much more from you. That is really a terrific site.